How an email attack exploited Microsoft’s multi-factor authentication
Mitiga says that MFA, even if improperly configured, is no panacea for preventing attackers from abusing compromised credentials.
Multi-factor authentication (MFA) is often cited as one of the best security methods available to secure sensitive accounts and credentials. Even if the password is leaked or stolen, the hackers can’t use it to log into the account without that second form of authentication. But to be effective, MFA must be properly and securely configured; otherwise, a savvy cyber criminal can find ways to circumvent it.
A report released Wednesday, August 24, by security advisory firm Mitiga looks at a recent business email compromise campaign against an organization that uses Microsoft 365. The attackers were able to access sensitive information by exploiting weak default configurations in Microsoft’s multi-factor authentication, according to Mitiga. Though the people in the targeted organization were able to prevent any fraudulent activity, the incident does serve as a warning about the improper setup of MFA.
In this attack, cyber criminals gained unauthorized access to the Microsoft 365 account of an executive in an organization from multiple locations, including Singapore; Dubai; and San Jose, California.
The attackers were able to compromise the user’s account and mailbox through an adversary-in-the-middle (AiTM) tactic. With an AiTM trick, an adversary creates a proxy server between the victim and the website to be accessed, allowing them to capture the target’s passwords and browser session cookies.
To protect the victim’s account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. Upon further analysis, Mitiga found that a second Authenticator app had been set up without the victim’s knowledge, providing the attackers with the means to continue to use the breached account.
Microsoft MFA doesn’t always require a second form of authentication
The problem, according to Mitiga, lies in the weak default settings for Microsoft MFA. This technology works by deciding when to require that second form of authentication, such as in cases when someone tries to access resources from a different IP address, requests elevated administrator privileges or attempts to retrieve sensitive data.
Analyzing the token in an active login session, Microsoft MFA determines if the session had previously been authorized. If so, the second form of authentication is not required. But this decision is solely made by the Microsoft authentication engine; customers are unable to configure it themselves, according to Mitiga.
The report cited two examples in which a decision by Microsoft MFA not to require the second form of authentication can be problematic.
One example involves the Privileged Identity Management (PIM) feature, through which administrative users can work with non-administrative rights and then use the PIM tool to elevate their permissions if and when necessary. In this case, an attacker could use PIM to elevate a compromised non-admin account into one with admin privileges.
In another example, Microsoft doesn’t require a second form of authentication when accessing and changing user authentication methods in the Security Info section of the account profile. A user who was previously authorized in a session can add a new Authenticator app without being challenged. This is how the attacker in the incident cited by Mitiga was able to continue to use the compromised account.
“Given the accelerated growth of AiTM attacks (even without the persistency allowed by an attacker adding a new, compromised, authentication method), it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks,” Mitiga said in the report. “We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone.
“Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent AiTM attacks.”
Tips for preventing AiTM attacks that exploit MFA
In a statement sent to TechRepublic, a Microsoft spokesperson also offered recommendations on how to stop AiTM attacks that can exploit multi-factor authentication.
“AitM phishing is important to be aware of, and we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files or accepting file transfers,” the spokesperson said. “We recommend that customers use Azure AD Conditional Access to set up specific rules for allowed risk levels, locations, device compliance and other requirements to prevent registration of new creds by adversaries.
“Where possible, we also recommend using phishing-resistant credentials like Windows Hello or FIDO. To help protect customers against this type of attack, Authenticator offers context information to warn the user that their location isn’t familiar or that the app isn’t the one they’re expecting.”
Further advice comes from Aaron Turner, CTO for SaaS Protect at cybersecurity firm Vectra. Noting that the targeted organization described by Mitiga was using a relatively weak default configuration in Microsoft 365, Turner asserted that Microsoft does provide a solution to stop AiTM attacks, but it’s one that must be hardened.
Toward that end, organizations should follow these three guidelines:
- Make sure the Self-Service Password Reset requires two factors of authentication to reset account passwords.
- Allow Microsoft Authenticator to be installed only through a Mobile Application Management or Mobile Device Management control set through Microsoft Intune.
- Set up Conditional Access policies to only allow Microsoft Authenticator to work from managed applications or from managed devices.
“This combination of controls would have protected the victim organization in this case,” Turner added. “We have observed that even these controls can be bypassed by nation-state actors, so investing in appropriate detection and response capabilities is critical to reduce the risk opportunity created by sophisticated attackers.”